Merge branch 'ah'

Brings support for Security Associations integrity protected by the
Authentication Header protocol, both to IKEv1 and IKEv2. Currently only plain
AH is supported, but no (now deprecated) RFC2401 style AH+ESP bundles.

4 files changed, 25 insertions, 12 deletions

diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index edfa8a9c3..2e10f324b 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -131,19 +131,14 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
  * parse a proposal string, either into ike_cfg or child_cfg
  */
 static void add_proposals(private_stroke_config_t *this, char *string,
-						  ike_cfg_t *ike_cfg, child_cfg_t *child_cfg)
+				ike_cfg_t *ike_cfg, child_cfg_t *child_cfg, protocol_id_t proto)
 {
 	if (string)
 	{
 		char *single;
 		char *strict;
 		proposal_t *proposal;
-		protocol_id_t proto = PROTO_ESP;
 
-		if (ike_cfg)
-		{
-			proto = PROTO_IKE;
-		}
 		strict = string + strlen(string) - 1;
 		if (*strict == '!')
 		{
@@ -178,11 +173,11 @@ static void add_proposals(private_stroke_config_t *this, char *string,
 	}
 	if (ike_cfg)
 	{
-		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default(proto));
 	}
 	else
 	{
-		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+		child_cfg->add_proposal(child_cfg, proposal_create_default(proto));
 	}
 }
 
@@ -270,7 +265,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 							 msg->add_conn.fragmentation,
 							 msg->add_conn.ikedscp);
 
-	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
+	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL, PROTO_IKE);
 	return ike_cfg;
 }
 
@@ -1159,8 +1154,16 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
 	add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
 
-	add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
-
+	if (msg->add_conn.algorithms.ah)
+	{
+		add_proposals(this, msg->add_conn.algorithms.ah,
+					  NULL, child_cfg, PROTO_AH);
+	}
+	else
+	{
+		add_proposals(this, msg->add_conn.algorithms.esp,
+					  NULL, child_cfg, PROTO_ESP);
+	}
 	return child_cfg;
 }
 
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index a5825519b..ea168058f 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -245,6 +245,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
 				u_int16_t encr_size = 0, int_size = 0;
 				u_int16_t esn = NO_EXT_SEQ_NUMBERS;
+				bool first = TRUE;
 
 				proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
 										&encr_alg, &encr_size);
@@ -256,6 +257,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				if (encr_alg != ENCR_UNDEFINED)
 				{
 					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+					first = FALSE;
 					if (encr_size)
 					{
 						fprintf(out, "_%u", encr_size);
@@ -263,7 +265,11 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				}
 				if (int_alg != AUTH_UNDEFINED)
 				{
-					fprintf(out, "/%N", integrity_algorithm_names, int_alg);
+					if (!first)
+					{
+						fprintf(out, "/");
+					}
+					fprintf(out, "%N", integrity_algorithm_names, int_alg);
 					if (int_size)
 					{
 						fprintf(out, "_%u", int_size);
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 88f73f3b0..3adebb523 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -186,6 +186,7 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 	pop_string(msg, &msg->add_conn.xauth_identity);
 	pop_string(msg, &msg->add_conn.algorithms.ike);
 	pop_string(msg, &msg->add_conn.algorithms.esp);
+	pop_string(msg, &msg->add_conn.algorithms.ah);
 	pop_string(msg, &msg->add_conn.ikeme.mediated_by);
 	pop_string(msg, &msg->add_conn.ikeme.peerid);
 	DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
@@ -193,6 +194,7 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 	DBG2(DBG_CFG, "  xauth_identity=%s", msg->add_conn.xauth_identity);
 	DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
 	DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
+	DBG2(DBG_CFG, "  ah=%s", msg->add_conn.algorithms.ah);
 	DBG2(DBG_CFG, "  dpddelay=%d", msg->add_conn.dpd.delay);
 	DBG2(DBG_CFG, "  dpdtimeout=%d", msg->add_conn.dpd.timeout);
 	DBG2(DBG_CFG, "  dpdaction=%d", msg->add_conn.dpd.action);
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 0268c88f3..3c3994b81 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -311,6 +311,7 @@ METHOD(listener_t, child_updown, bool,
 				"PLUTO_CONNECTION='%s' "
 				"PLUTO_INTERFACE='%s' "
 				"PLUTO_REQID='%u' "
+				"PLUTO_PROTO='%s' "
 				"PLUTO_UNIQUEID='%u' "
 				"PLUTO_ME='%H' "
 				"PLUTO_MY_ID='%Y' "
@@ -336,6 +337,7 @@ METHOD(listener_t, child_updown, bool,
 				 config->get_name(config),
 				 iface ? iface : "unknown",
 				 child_sa->get_reqid(child_sa),
+				 child_sa->get_protocol(child_sa) == PROTO_ESP ? "esp" : "ah",
 				 ike_sa->get_unique_id(ike_sa),
 				 me, ike_sa->get_my_id(ike_sa),
 				 my_client, my_client_mask,